On Fri, Sep 21, 2012 at 12:54:25PM +0100, Richard W.M. Jones wrote:
> On Fri, Sep 21, 2012 at 10:39:19AM +0100, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange(a)redhat.com>
> >
> > SELinux wants all log files opened with O_APPEND. When
> > running non-root though, libvirtd likes to use O_TRUNC
> > to avoid log files growing in size indefinitely. Instead
> > of using O_TRUNC though, we can use O_APPEND and then
> > call ftruncate() which keeps SELinux happier.
>
> As far as I can see, although this patch doesn't break anything, it
> doesn't fix the SELinux problem either. SELinux still prevents qemu
> from writing to the log. The AVCs look the same as before:
>
> type=AVC msg=audit(1348227948.158:14174): avc: denied { append } for pid=13139 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-wd6efsxohmy5jd2s.log" dev="dm-5" ino=1870215 scontext=unconfined_u:unconfined_r:svirt_t:s0:c69,c512 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
The target context here is unconfined_u:object_r:cache_home_t:s0 which
is wrong. The context ought to be virt_home_t instead of cache_home_t.
Try changing the libvirt directories to have virt_home_t as their type.
Then my patch ought to do something useful.

We need to check if SELinux policy knows about $HOME/.cache/libvirt
and $HOME/.config/libvirt, or whether it still only considers the
old location of $HOME/.libvirt.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
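Added example (C, not code from the libvirt patch or either message): it implements the O_APPEND plus ftruncate() idiom the quoted patch describes, in place of O_TRUNC, and checks that a stale line from an earlier run is discarded while the fresh line lands at the start of the emptied file. The temp path and log lines are constructed; the SELinux label mismatch Richard's AVC shows (cache_home_t vs virt_home_t) is a policy matter this code cannot exercise.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open (creating if needed) a log file with O_APPEND instead of O_TRUNC,
 * then empty it with ftruncate() so it does not grow without bound.
 * Returns the descriptor, or -1 on error. */
static int open_log_append_truncate(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Size in bytes of the file at path, or -1 on error. */
static long file_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (long)st.st_size;
}

/* Self-check: pre-fill a constructed temp file with a stale line, reopen it
 * with the helper, write one fresh line, and verify the stale content is
 * gone and the fresh line is the whole file. Returns 0 on success. */
static int demo(void)
{
    char path[] = "/tmp/log-example-XXXXXX";   /* constructed, not libvirt's */
    const char stale[] = "stale line from a previous run\n";
    const char fresh[] = "fresh log line\n";
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    if (write(fd, stale, strlen(stale)) != (ssize_t)strlen(stale)) return 2;
    close(fd);
    fd = open_log_append_truncate(path);
    if (fd < 0) return 3;
    /* O_APPEND puts every write at end of file, which is offset 0 after ftruncate(fd, 0). */
    if (write(fd, fresh, strlen(fresh)) != (ssize_t)strlen(fresh)) return 4;
    close(fd);
    int ok = file_size(path) == (long)strlen(fresh);
    unlink(path);
    return ok ? 0 : 5;
}
```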